Next steps on the cyber EO

The May 12 Executive Order on Improving the Nation's Cybersecurity tasked agencies with an ambitious to-do list; one White House official said it represents a "fundamental shift in our mindset" from incident response to prevention. Equally important, the American Rescue Plan Act's $1 billion infusion for the Technology Modernization Fund means there is a plausible way to pay for some of those efforts.

FCW recently gathered a group of federal IT leaders to explore what those developments mean in practice — where agencies are focusing their near-term efforts, how existing security programs can adapt and when new investments may be needed. The discussion was on the record but not for individual attribution (see page 94 for full list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

A welcome forcing function

Most participants praised the executive order; several said it validated arguments they'd been making inside their agencies for years.

"You really need to look at using it as a forcing function to get after some of these things that departments and agencies have been told to do for close to a decade in some cases," one chief information security officer said. "Things like multifactor authentication and encryption — those things just should have been done a long time ago."

"We're looking at it as an opportunity to step back, clean up some things that should have been pushed over the finish line a long time ago," another official said. "And then looking for ways to set conditions to really take zero trust architecture seriously, and really develop an achievable plan."

A third participant pointed to the push for cloud-based computing and aa cloud-based security model, calling them "pivotal points" that "will impact the federal landscape for years to come."

Another official, who said their agency had been somewhat reluctant to rethink its cybersecurity models, called the order "an all-out charge to permanently change and shift the way we're doing business."

There were cautionary comments as well, though. One participant pointed to "a challenging environment where a lot of our systems and work is done on the classified side."

"I know the EO would like us to get there overnight," that official said, "but the reality is it's going to take a very long time."

Next step: zero trust

Over the course of a 90-minute discussion, the group touched a wide range of tactics the executive order calls for — everything from software supply chain security and improved logging to standardized contract clauses that spell out vendors' security obligations. Again and again, however, the conversation returned to zero trust as a cornerstone for future security.

"We've experienced pretty serious events over the past six months," one official noted. "And I think what we're all seeing is, it is demonstrating that we need a new paradigm to address those risks. And I think to most of us zero trust is a pretty good framework that describes what we need to do."

Multiple participants said their agencies had been talking about zero trust for some time, but now were moving quickly toward actual implementation.

"It's accelerating things," one official said of the executive order. "I'm pretty excited about how now, holistically as an agency, we're pushing those things forward."

The executive order is explicit in its requirement that agencies develop plans for adopting zero trust security principles, but one participant said the unspoken goals are even more ambitious. "There is a plan behind this, which may or may not be clear in the words of the EO, that we want to use zero trust as the sounding call to push us into the right direction, where we all acknowledge that we just can't trust the integrity of our networks now," that official said. "And we have to do something fast and move with alacrity to start addressing that. And it will be imperfect, that's true, but I do think we're organizing around the right principles at this point."

There is some hype around zero trust, several participants noted, particularly when it comes to vendors trying to hitch their products and services to the topic. But they did not see the concept going away.

"I hear a lot about, is this a buzz word? And three or four years from now, is it going to be a different sort of paradigm?" one official said. "I don't think so. I've asked others if they think so and I haven't heard anybody who's explained to me how it would be a different paradigm in three or four years. So, I think it's the right thing for us to be driving towards — I don't think it's going anywhere for a while."

Finally, a funding source?

Re-engineering an agency around zero trust architecture is an expensive undertaking, and one that is not likely to produce clear cost savings the way some modernization efforts can. "The big problem becomes the money," as one participant put it.

The executive order's reporting requirements, however, could ultimately help agencies build a business case, one official noted. Self-assessments are being used by the Office of Management and Budget to inform a "strategy-slash-implementation plan, trying to describe where agencies need to be on a first order of capability," that participant said.

"If you look at a capability maturity model for zero trust, and you can describe the future plan, we want to put agencies on a roadmap for three- to five-year investment plans to get to that first capability level," the official said. "We're working at guidance to help make it clear what that is and how to do that. And I think what we're also going to work to address is to try to answer a very elusive question of, What is sufficiency in the cyber budget?"

Other participants said the conversations in their agencies were already changing. The executive order "has enabled me to really do some of that education," one official said. "When I come to the bosses and I say, 'Look, yes, we're modernizing our application, but I have to spend $100,000 on servers and switches because the current ones that we're using, I can't make the changes I need to make.' So I have found that to be helpful."

Another noted that some of the key spending may have already occurred. "A lot of the investments that have been made over the last several years are fundamentally aligned with the concepts of zero trust," that official said. "We should be able to reuse a lot of the investments that have been made to get us there. It's not a net new buy from the ground up to get us moving toward zero trust."

Some agencies have already requested supplemental funding in fiscal year 2022 to address the damage caused by the SolarWinds compromise; one official noted that "there were significant plus-ups at nine agencies."

For most agencies, however, the Technology Modernization Fund offers perhaps the best chance for efficient new cybersecurity funding.

"We got a billion dollars," one official said. "That's a lot of money. We relaxed repayment so that there is the opportunity under certain conditions to have very minimal repayment, which means it's not a loan. It's an investment that an agency can make. And we are definitely seeing people tie zero trust plays together in project proposals."

Several other participants confirmed that their agencies had either applied for TMF funding or were in the process of doing so. The more-flexible repayment requirements were a key incentive, they said.

Yet while many "security investments aren't going to save money somewhere" and allow for quick repayment, one participant stressed that there does need to be a longer-term opportunity to realize savings.

"It cannot be always net additive," that official said. "It should be more realistically net zero, if you look over a two, three, four-year timeframe. So I want to emphasize that that we should be looking at all investments, all upgrades, all modernizations, regardless of whether it's cyber or not, in that manner."

Room for further improvement

For all the cheerleading that the executive order received in the roundtable discussion, participants had their constructive criticisms as well.

"It feels to me that it's a little bit more leaning towards reactive," one official said. "If this incident happens, you should do that. That's all great, but I think, ultimately, we need to move into more proactive stance as opposed to a reactive stance."

"I'm not trying to suggest that reactive solutions, and models and clearly identifying who's responsible for what is not important," the official continued, "but I think we need to start moving into a either a balanced approach or ultimately tilting towards a proactive thing."

And while the group appreciated the emphasis on whole-of-government efforts, there was some concern that it sent the wrong message.

"There's reference to all of our partner agencies," one official said. "CISA, NSA, FBI. They'll do this, they'll provide this guidance. It's all great stuff, but I feel it's a missed opportunity to call out that regardless of what these partner agencies are doing to support us, the agency head ultimately is still not off the hook. They have to do everything that they can possibly do themselves to make sure that they are protected and they're doing everything to protect their organization."